Advice on using this handbook
Because organisations vary greatly in size, the extent to which their activities intrude on privacy, and their experience in dealing with privacy issues makes it difficult to write a ‘one size fits all’ guide. The purpose of this handbook is to be comprehensive. It is important to note now that not all of the information provided in this handbook will be relevant to every project that will be assessed.
The handbook is split into two distinct parts. Part I (Chapters I and II) are designed to give background information on the privacy impact assessment (PIA) process and privacy. Part II is a practical “how to” guide on the PIA process. The handbook’s structure is intended to enable a reader who is knowledgeable about privacy to quickly start working on the PIA. Background information on privacy and PIAs is provided for other readers who would like some general information prior to starting the PIA process.
It is also important to note that some of the recommendations in this handbook may overlap with work which is being done to satisfy other requirements, such as information security and assurance, other forms of impact assessment or requirements to carry out broader consultations during the development of a project. A PIA does not have to be conducted as a completely separate exercise and it can be useful to consider privacy issues in a broader policy context.
The term ‘project’ is used in this handbook to refer to whatever the activity or function is that the organisation is assessing. However, for the purposes of this handbook it could equally refer to a system, database, program, application, service or a scheme, or an enhancement to any of the above, or an initiative, proposal or a review, or even draft legislation.
Finally, the information in this handbook is provided purely as guidance to organisations, to assist them in making their own judgements for each project that they undertake which has potential privacy impacts. Each organisation is encouraged to use the handbook to devise and implement a PIA process that is appropriate to their circumstances.